Creating OAuth clients for IAP

This page describes how to create an OAuth client, which is required to enable IAP.

Create an OAuth client

You can create a maximum of 36 OAuth clients for each project with the Google Cloud console. You can create a maximum of 500 OAuth clients for each project with the Google Cloud CLI.

Console

Complete the following steps to create an OAuth client by using the Google Cloud console.

Configure the OAuth consent screen by following the instructions in Setting up your OAuth consent screen.
Create an OAuth client by following the instructions in Setting up OAuth 2.0.

gcloud

Known limitations

Following are limitations for OAuth clients created programmatically using the API:

OAuth clients created by the API can only be modified by using the API. You cannot modify an OAuth client using the Google Cloud console if it was created by using the API.
The OAuth clients created by the API are locked for IAP usage only, and therefore the API does not allow any updates to the redirect URI or other attributes.
The API does not operate on the OAuth clients that were created using the Google Cloud console.
Only 500 OAuth clients are allowed per project when using the API.
API-created OAuth consent screen brands have specific limitations. See the section for more information.

Understanding brands and branding state

The OAuth consent screen, which contains branding information for users, is known as a brand. Brands can be limited to internal users or public users. An internal brand makes the OAuth flow accessible to someone who belongs to the same Google Workspace organization as the project. A public brand makes the OAuth flow available to anyone on the internet.

Brands can be created manually or programmatically by using an API. Brands created using an API are automatically configured with the following settings:

Internal. You must manually set to public.
Unreviewed. You must trigger a brand review.

To set an internal brand to public:

Open the OAuth consent screen.
Select a project from the drop-down menu.
On the OAuth consent screen page, note that the User Type is automatically set to Internal. To set it to Public, click Edit App. More configuration options become available.
Under Application type, click Public.

To trigger a brand review for an unreviewed API-created brand:

Open the OAuth consent screen.
Select your desired project from the drop-down menu.
On the OAuth consent screen page, enter any required information, and then click Submit for verification.

The verification process may take up to several weeks, and you will receive email updates as it progresses. Learn more about verification. While the verification process is ongoing, you can still use the application within your Google Workspace organization. Learn more about how your application will behave before it's verified.

Required permissions

Before creating the client, ensure that the caller has been granted the following permissions:

clientauthconfig.brands.list
clientauthconfig.brands.create
clientauthconfig.brands.get
clientauthconfig.clients.create
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.delete
clientauthconfig.clients.update

These permissions are included in the Editor (roles/editor) and Owner (roles/owner) basic roles, however we recommend that you create a custom role that contains these permissions and grant it to the caller instead.

Set up OAuth for IAP

The following steps describe how to configure the consent screen and create and oauth client for IAP.

Configuring consent screen

Check if you already have an existing brand by using the list command. You may only have one brand per project.
```
gcloud iap oauth-brands list
```
The following is an example gcloud response, if the brand exists:
```
name: projects/[PROJECT_NUMBER]/brands/[BRAND_ID]
applicationTitle: [APPLICATION_TITLE]
supportEmail: [SUPPORT_EMAIL]
orgInternalOnly: true
```
Note: If a brand already exists for a project and has been configured for external users (orgInternalOnly: false), but you want to restrict it to internal users, you must make that change manually from the OAuth consent screen in order to create OAuth clients with this API.
If no brand exists, use the create command:
```
gcloud iap oauth-brands create --application_title=APPLICATION_TITLE --support_email=SUPPORT_EMAIL
```
The above fields are required when calling this API:
- supportEmail: The support email displayed on the OAuth consent screen. This email address can either be a user's address or a Google Groups alias. While service accounts also have an email address, they are not actual valid email addresses, and cannot be used when creating a brand. However, a service account can be the owner of a Google Group. Either create a new Google Group or configure an existing group and set the desired service account as an owner of the group.
  
  Note: The user issuing the request must be an owner of the specified support email address.
- applicationTitle: The application name displayed on OAuth consent screen.
The response contains the following fields:
```
name: projects/[PROJECT_NUMBER]/brands/[BRAND_ID]
applicationTitle: [APPLICATION_TITLE]
supportEmail: [SUPPORT_EMAIL]
orgInternalOnly: true
```

Creating an IAP OAuth Client

Use the create command to create a client. Use the brand name from previous step.

gcloud iap oauth-clients create projects/PROJECT_NUMBER/brands/BRAND-ID --display_name=NAME

The response contains the following fields:

name: projects/[PROJECT_NUMBER]/brands/[BRAND_NAME]/identityAwareProxyClients/[CLIENT_ID]
secret: [CLIENT_SECRET]
displayName: [NAME]